# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies

# Resource policy for the `workspace` resource kind (policy version `default`).
#
# Access model expressed by the rules below:
#   create -> super only, with no membership condition
#   read   -> super, admin, user, when the workspace id is in P.attr.workspaceIds
#   update -> super, admin,       when the workspace id is in P.attr.workspaceIds
#   delete -> super only,         when the workspace id is in P.attr.workspaceIds
#
# Every rule is an EFFECT_ALLOW; the file contains no explicit deny rule, so
# any action/role pair not listed here depends on the engine's default
# decision when no rule matches.
#
# NOTE(review): each conditional rule trusts P.attr.workspaceIds. Confirm the
# calling service fills that principal attribute from a server-side source
# (session store, verified token claims) and never from request parameters
# the client controls.
# NOTE(review): the expression does not guard against a principal without a
# workspaceIds attribute; confirm how the engine treats that evaluation
# failure (expected outcome: the rule does not match).
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: workspace
  version: default
  rules:
    # Creation is not tied to membership: a new workspace has no id that
    # could already be present in the principal's workspaceIds.
    - actions: ["create"]
      effect: EFFECT_ALLOW
      roles: ["super"]

    # Read is limited to workspaces the principal is a member of. The
    # condition applies to every listed role, `super` included.
    - actions: ["read"]
      effect: EFFECT_ALLOW
      roles: ["super", "admin", "user"]
      condition:
        match:
          expr: R.attr.id in P.attr.workspaceIds

    # Update excludes the `user` role and keeps the membership check.
    - actions: ["update"]
      effect: EFFECT_ALLOW
      roles: ["super", "admin"]
      condition:
        match:
          expr: R.attr.id in P.attr.workspaceIds

    # Delete is restricted to `super`, and only for workspaces that appear
    # in that principal's workspaceIds.
    - actions: ["delete"]
      effect: EFFECT_ALLOW
      roles: ["super"]
      condition:
        match:
          expr: R.attr.id in P.attr.workspaceIds